Chief Information Security Officer (CISO)

CEX.IO Europe is in the final stages of obtaining authorisation under the EU Markets in Crypto-Assets Regulation (MiCA) as a Crypto-Asset Service Provider (CASP) in Spain. As part of our regulatory readiness and local substance requirements, we are actively recruiting a Spain‑based Money Laundering Reporting Officer (MLRO).

The CISO will be the primary local official responsible for ensuring the digital operational resilience of CEX.IO Europe S.L. in accordance with Regulation (EU) 2022/2554 (DORA).

The CISO’s core mandate is to maintain an effective local capacity for decision-making, supervision, and questioning over all ICT functions delegated to the servicer company, part of the group. This includes the explicit authority to understand, supervise, question, approve, reject, or nullify any technical action, proposal, or recommendation from the Group service provider that impacts EU operations.

The CISO is responsible for the independent management of technology and cyber risks within the Spanish jurisdiction, ensuring operational substance and digital resilience. The CISO acts as the principal technical liaison and accountable officer for the CNMV and Bank of Spain, on all cybersecurity, DORA compliance, and DLT-related supervisory matters.

Responsibilities

• DORA & MiCA Governance: Lead the implementation and maintenance of the ICT risk management framework to meet CNMV and ESMA standards


• Oversight of Delegated Functions: Supervise and control ICT services provided by CEX.IO Ltd (UK), including cloud infrastructure, software development, and security operations


• ICT Risk Management: Identify, assess, and mitigate technological risks. Conduct annual reviews of the Business Impact Analysis (BIA) and the ICT Risk Assessment


• Incident Management: Act as the ultimate authority for initiating the Incident Response Plan (IRP) for high and critical levels. Coordinate the notification of major incidents to the CNMV within mandated timelines (4h/72h/30 days)


• Third-Party ICT Security: Supervise critical ICT third-party service providers, with a focus on monitoring and ensuring compliance with agreed SLAs, RPOs, and RTOs


• Custody Security: Oversee the security of crypto-asset custody solutions (Proprietary V2/V3 and external sub-custodians, like Coinbase). Ensure the integrity of MPC (Multi-Party Computation), HSM (Hardware Security Modules), and multisig signing processes.


• Secure SDLC Oversight: Supervise the Secure Software Development Life Cycle and validate security testing in pre-production (UAT) environments before deployment


• Resilience & DLT Testing: Approve and collaborate on operational resilience testing plans and specific tests regarding Distributed Ledger Technology (DLT)


• Inventory Management: Maintain a unified and centralized inventory of CEX.IO systems and infrastructure

Requirements and Qualifications

• University degree in Engineering, Computer Science, or Cybersecurity (ideally complemented by relevant certifications such as CISM or CISSP).


• Proven track record in building cybersecurity frameworks and complying with EU financial regulations (DORA, MiCA, PCI DSS)
  
  

Technical Knowledge:

• Secure cloud architecture (specifically AWS environments)


• Vulnerability management and monitoring tools (Grafana, Kibana, SIEM)


• Cryptographic protocols and secure private key management


•  Strong communication skills for interacting with regulators and the ability to lead global technical teams under a "hub and spoke" operational model